A proposed rule out for public comment would give the secretary discretion over how implement a May executive order.
The Commerce Department is set to publish a proposed rule giving the Commerce Secretary “case-by-case” authority to enforce an executive order banning transactions with suspect foreign telecommunications companies.
An executive order signed in May by President Trump restricts U.S. companies from purchasing any telecommunications equipment produced by companies “owned by, controlled by or subject to the jurisdiction or direction of a foreign adversary.”
Specifically, the order prohibits telecom equipment purchases that “poses an undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation or maintenance of information and communications technology or services in the United States; poses an undue risk of catastrophic effects on the security or resiliency of United States critical infrastructure or the digital economy of the United States; otherwise poses an unacceptable risk to the national security of the United States or the security and safety of United States persons.”
While the order does not name specific countries, officials have linked it to provisions passed by Congress prohibiting federal contractors and contracts from including technologies from Chinese companies Huawei, ZTE, Hytera Communications, Hangzhou Hikvision Digital Technology and Dahua Technology.
The Commerce Department was given 150 days to propose a rule and procedures for reviewing such transactions and determining whether they should be prohibited. Rather than instituting a blanket ban, Commerce Secretary Wilbur Ross has opted “to adopt a case-by-case, fact-specific approach,” according to a release announcing the proposed rule.
“While Executive Order 13873 empowers the secretary immediately to prohibit or mitigate ICTS transactions that pose the risks identified in the executive order, the proposed rule sets forth procedures the secretary will follow, except in instances where the risk of public harm or national security interests require a deviation from such procedures,” the release states.
According to the release, the Commerce Secretary will make the initial decision on whether specific transactions are allowed under the new rule, in consultation with other relevant agencies, like the Homeland Security Department. Once a prohibition or mitigation decision is made, the affected parties will have the opportunity to appeal, which can also include proposing alternative transactions.
After the appeal process, the secretary will make a final decision, which will be unclassified and made available to all parties involved.
“These actions will safeguard the Information and Communications Technology Supply Chain,” Ross said Tuesday. “These rules demonstrate our commitment to securing the digital economy, while also delivering on President Trump’s commitment to our digital infrastructure.”
Justin Sherman, a cybersecurity policy fellow at the think tank New America, was more skeptical.
"The United States federal government is obviously correct in identifying the need to better manage supply chain security risks in an age of growing global interconnection. But giving itself sweeping powers to decide which companies are and are not a cybersecurity risk, in a less-than-transparent manner, is not the right way to do it,” he said Tuesday.
Sherman cited confusion around Huawei and the push to develop secure 5G technologies as an example, where many are conflating the national security risk of a foreign-owned company under heavy government influence building U.S. infrastructure versus the economic risk of an adversary dominating the market.
“Many countries don't know if American officials are raising legitimate cybersecurity concerns or using them as political playing pieces in a trade war,” Sherman said. “Instead of continuing along this front by giving Commerce sweeping and flexible authority to designate foreign companies as supply chain security threats, the U.S. government would be better off setting up a repeatable, standardized, transparent approach that doesn't resemble whack-a-mole."
Once posted, the rule will be open for public comment for 30 days.
Defense One’s Patrick Tucker contributed to this report.